ScannersMCP / Agent Security

MCP and Agent Security

Sentinel MCP and agent checks validate tool permissions, manifests, schemas, server instructions, network reachability, and live MCP discovery output.

Definition

Sentinel MCP and Agent Security is a validation workflow for autonomous AI systems. It checks whether tools, prompts, resources, permissions, network paths, and MCP transports match the trust boundary intended by the application owner.

Trust boundaries

Agents create risk when a model can convert text into actions. Sentinel focuses on the boundary between user input, model reasoning, tool call, server execution, and external systems.

Operational checklist

Tool allowlists and permission scopes
MCP server instructions and prompts
Resource exposure and authentication metadata
Network egress and internal service reachability

Schema hygiene

Tool schemas should be treated as security controls, not documentation. A vague schema gives the model too much freedom and makes injection easier to operationalize.

Operational checklist

Use narrow JSON schemas with required fields
Validate server-side before executing actions
Reject free-form command, path, and URL arguments unless allowlisted

Live MCP discovery

Static manifests are not enough when live servers expose additional tools, prompts, or resources. Run live scans against HTTP JSON-RPC or stdio servers before production.

Operational checklist

Compare manifest expectations to discovered runtime capabilities
Record auth metadata and readiness signals
Block unexpected tools before connecting production agents

OWASP Agentic AI Security Top 10 — 2026

OWASP published the Agentic AI Security Top 10 for 2026, covering unique risks of autonomous systems. Sentinel MCP and agent checks map directly to multiple items in this list.

Operational checklist

ASI01 Memory Poisoning — RAG and context window manipulation, retrieval store injection
ASI02 Tool/Resource Misuse — overbroad tool permissions, confused deputy, schema bypass
ASI03 Goal and Instruction Misalignment — system prompt overrides, conflicting principals
ASI04 Unsafe Multi-Agent Interaction — inter-agent trust assumptions, unvalidated delegation
ASI05 Human Oversight Bypass — automated irreversible action without approval gate
ASI06 Sensitive Information Disclosure — data exfiltration via tool calls or context leakage
ASI07 Privilege Escalation — agent re-uses or inherits credentials beyond intended scope
ASI08 Uncontrolled Recursion — runaway agent loops, token and compute exhaustion
ASI09 Inadequate Logging and Monitoring — no audit trail for multi-step agent actions
ASI10 Unsafe System Interaction — insecure subprocess, OS calls, or shell command injection

MCP tool poisoning and confused deputy

Invariant Labs demonstrated MCP tool poisoning where a malicious MCP server embeds hidden instructions inside tool description fields. When the model reads these descriptions, it processes embedded attacker instructions as context. The confused deputy problem arises when an agent acting with high privilege executes actions on behalf of lower-trust input without re-authorization.

Operational checklist

Tool description poisoning: hidden instructions embedded in JSON schema description fields (Invariant Labs mcp-injection-experiments)
Confused deputy: agent acts for attacker-controlled content with higher privilege than the originating principal intended
MCP-Scan (Invariant Labs): live scanner for tool poisoning, schema hygiene, and server instruction analysis
SlowMist MCP Security Checklist: transport, authentication, schema, capability, and logging hygiene requirements
mcp-context-protector: context isolation tooling for production MCP deployments
OWASP MCP Security Cheatsheet 2025: authorization, scope, transport, and update management controls

Commands

sentinel agent ./agent/
sentinel mcp scan ./mcp-manifest.json
sentinel mcp scan --url http://localhost:3000/mcp
sentinel mcp scan --stdio-command npx my-mcp-server

Expected output

Output should carry rule ID, severity, surface, evidence, and release decision in a way other teams can understand.

server: local-mcp
tools_discovered: 12
findings:
  - MANIFEST-OVERBROAD-TOOLS HIGH file_write grants project root
  - NET-PRIVATE-RANGE-EGRESS MEDIUM tool can call internal network range

FAQ

What is excessive agency?

Excessive agency appears when the model has more tools, permissions, network access, or action authority than the use case requires.

What should the finding include?

Include the MCP server, tool name, schema or permission field, observed capability, owner, and retest command.

What is MCP tool poisoning?

Tool poisoning occurs when an attacker embeds hidden instructions inside MCP tool description fields. The model processes these as context during tool selection, allowing the attacker to redirect model behavior without changing the visible user interface. Defenses include schema validation, description allowlisting, server authentication, and live scanning before connecting production agents.

References

Eresus support

Turn the finding into an action your team can actually close.

If you need exploit evidence, prioritization, remediation direction, and retesting for MCP and Agent Security, Eresus can help scope the work with your team.

Start Security Test

PreviousTedarik Zinciri / AIBOM NextRuntime Gateway